Debian DSA-1095-1 : freetype - integer overflows

high Nessus Plugin ID 22637

Synopsis

The remote Debian host is missing a security-related update.

Description

Several problems have been discovered in the FreeType 2 font engine.
The Common vulnerabilities and Exposures project identifies the following problems :

- CVE-2006-0747 Several integer underflows have been discovered which could allow remote attackers to cause a denial of service.

- CVE-2006-1861 Chris Evans discovered several integer overflows that lead to a denial of service or could possibly even lead to the execution of arbitrary code.

- CVE-2006-2493 Several more integer overflows have been discovered which could possibly lead to the execution of arbitrary code.

- CVE-2006-2661 A NULL pointer dereference could cause a denial of service.

Solution

Upgrade the libfreetype packages.

For the old stable distribution (woody) these problems have been fixed in version 2.0.9-1woody1.

For the stable distribution (sarge) these problems have been fixed in version 2.1.7-2.5.

See Also

https://security-tracker.debian.org/tracker/CVE-2006-0747

https://security-tracker.debian.org/tracker/CVE-2006-1861

https://security-tracker.debian.org/tracker/CVE-2006-2493

https://security-tracker.debian.org/tracker/CVE-2006-2661

http://www.debian.org/security/2006/dsa-1095

Plugin Details

Severity: High

ID: 22637

File Name: debian_DSA-1095.nasl

Version: 1.23

Type: local

Agent: unix

Published: 10/14/2006

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:3.0, cpe:/o:debian:debian_linux:3.1, p-cpe:/a:debian:debian_linux:freetype

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/10/2006

Vulnerability Publication Date: 5/2/2006

Reference Information

CVE: CVE-2006-0747, CVE-2006-1861, CVE-2006-2661

BID: 18034

DSA: 1095